Security Archive

After nearly three years, this will be the last post on AlliOSNews. This weekend I experienced customer service so shockingly poor – so utterly unacceptable that I can no longer support Apple. It is disappointing but having spent the last two days in a red mist of anger, it is time to kiss them off pretty much the same way they have kissed me off.

It started with me waking up and checking my email. at 4:44 AM someone changed my password on my iCloud account. Now I have enabled two-factor authentication on the account and, logic dictates, that even if someone managed to get the password, they would have to have my other information (recovery key, the physical devices in hand) to get into my account. Clearly that was not the case.

With a bit of a panic I went to AppleID.Apple.Com to find out what was going on. I tried to log in and failed and then was prompted for my recovery key. I entered that assuming all was well. No. The Recovery Key was wrong. Now I’m in a formal panic. I call Apple and I’m informed that my account has been compromised. How was this even possible with two-factor authentication?

I spend the next few hours trying to sort out what’s going on and speaking to Apple all the time. The nutshell of it was that my account had been compromised, the Recovery Key had been changed, and the account was fully locked and encrypted. There was no way to get any of my data back.

Now I know this is the case with data. I get it. I signed up for two-factor Authentication for a reason. To prevent this very scenario. But clearly there is something not right with how Apple has implemented it. Somehow, some way, my account was compromised despite it being enabled. I was okay with losing the data. To be honest, aside from some contacts, most of what I have was in other services. Something in the back of my head told me not to fully trust iCloud.

Here is the really bad part of the story. Actually, it’s the shitty part of the story.

Because my Apple ID was tied to my iPhone, iPad Air and iPad Mini, they are, in Apple’s words, bricked. Without being able to get into the account, these devices are tied to my Apple ID (which is now completely locked down and unavailable to anyone including, apparently, Apple) and cannot be tied to any other Apple ID. The Apple support persons exact – and completely careless comment to me: “Yeah, you are pretty much cooked”.

So let me get this straight Apple. I’ve spent thousands of dollars with you. I’ve done what you have suggested (or forced me to do) by tying my devices to my Apple ID. I’ve then enabled two-factor authentication – which you say can’t be broken – and because of your issue, I am no longer able to use any of my devices? Thanks for that.

The only way I’m told by Apple to get all of my devices back and register them with another Apple ID is to show proof of purchase. Despite the fact that the Apple support people could see the devices I had and I repeatedly told them I had them in my possession, they said because of security they would have to have proof of purchase and engineering may decide to let me back into them in 6-8 weeks.

Awesome. Pure Awesome.

The data is one thing but to render my devices useless is unacceptable. This was not my fault Apple. Even if it was, your poor security is pretty draconian when it comes to paying for a mistake. Seriously – I forget my password and you lock me out of everything? Including my iPad and Mac? Wow. Just. Wow.

The moral of the story is two fold peeps. First, if you are going to use Apple products I would not enable two-factor authentication. It’s clearly broken and clearly able to be compromised. Run the risk of single-factor and come up with a really, really, really good password and hope for the best.

Second, if you can avoid Apple products, do it. Clearly no matter how much you spend with them they do not care. Their lack of a back door to prevent this kind of thing from happening is simply unacceptable. Their poor security implementation has rendered my devices constantly nagging me for a password I can never hope to know or unable to activate.

As for me, I’m composing this on my re-formatted MacBook Pro running Windows 8. Next to me is my Lumia 1320 Windows Phone. My data is safe and secure in services other than iCloud. And on the book case in front of me sits an effectively dead iPad Air, iPhone 5S and iPad Mini.

I’ll let you know if engineering decides to be nice and let me have my devices again. Regardless of the outcome, I’m done with Apple.

OS X users now have a security patch available to address the Shellshock security flaw that was discovered in recent weeks. The update, which is available on the Apple Support website, is available for OS X Mavericks, OS X Mountain Lion and OS X Lion. It is presumed that the issue is already addressed in OS X Yosemite or will be updated in a patch during its current beta cycle.

If you aren’t familiar with what the Shellshock security flaw is exactly, Apple provided the following statement to MacRumors last week on it.

Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

There are a couple of things to keep in mind on this flaw. First, you likely aren’t impacted so no need to panic at the disco. Second, even if you never use Terminal and the shell commands, you should update anyway. Better to be safe than sorry later.

Earlier this week you undoubtedly heard of the iCloud security breach that happened to some well know celebrities. While Twitter and other places lit up with nudie pics of the like of Jennifer Lawerence, there were a lot of people at Apple frantically trying to find the source of the problem. Was it a real breach? Was there an inherent flaw in iCloud where anyone and everyone could be compromised?

The short answer is no. This came down to, at the most basic level, a brute force attack against usernames and passwords. It was the latest in what seems to be a weekly announcement of someone having data security compromised by hackers. The problem of course is that we all have digital data – digital footprints and fingerprints – all over the Internet. From our Facebook account(s) to Twitter to our Banks. Even our identification to remotely access our corporate networks. Nobody is immune but you can protect yourself as best as possible.

Identification security is something we should all be vigilant about whether it is on our smartphones, our PCs or Macs. Security breaches happen at the weakest point so the goal is to make it difficult to discourage but also no so difficult that you yourself are unable to access your data. Here then are a few tips that you should consider when it comes to your personal data security.

Use Complex Passwords

The most basic thing you can do in personal data security is use complex passwords. That is, use passwords with a mixture of:

Upper-Case Letters

Lower-Case Letters

Numbers

Special Character such as @£$%!

At least 8 characters long

Passwords should also not be associate with any personally identifying information such as:

Birthdays (yours, your spouses, your children, etc)

Your address

Your National Identification/Social Security Number

Complex passwords serve as a strong deterrent for those who would potentially try to gain access to your data. While any password can be compromised with enough time, complex ones point hackers to easier targets.

The new TimeLock PRO app is the most effective and unique security app available right now. It is not only a timeless clock with an alarm function, but also a high security vault for your personal photos, notes and documents. The vault itself is completely invisible, hidden in the design of the clock. This is truly an ingenious way of hiding information in plain sight by using the latest security technologies TimeLock PRO keeps all pictures and videos militarily secure, because the entire contents of the vault is encrypted with the strong 256-bit AES (Advanced Encryption Standard) algorithm.

Constantly worrying about the security of photo and video files in an iOS device is enough to drive people crazy, after all it is impossible to keep a constant close eye on all mobile devices to make sure it is not going in to the wrong hands. It is fair to say that almost every person has something in their iPhone, iPad or iPod touch that they would like to keep private, secure from other people. There has long been a need for an app that is not as obvious and effectively able to hide all the information that needs to remain hidden to be really secure.

The TimeLock app is the most effective and unique security app available right now. It is not only a timeless clock with an alarm function, but also a high security vault for your personal photos and videos. The vault itself is completely invisible, hidden in the design of the clock.

With the news on New Year’s Day 2014 that the popular social network SnapChat had been breached and some 4.6 million users information had been exposed, it highlights once again the importance of maintaining good security habits with your information and accounts online. While we depend on companies who provide these services to be secure, we as users also have a responsibility of making sure we do our part. In this How To we are going to cover how to stay more secure on the Internet by going over some of the basics that we all need to follow.

To start, let’s be pointblank: Security online is a PITA (Pain In The Ass). It’s not fun. It’s not easy. It certain is time consuming and on the surface there appears to be very little reward for doing it. But the reward is there and it comes in the form of not losing control of your accounts by someone with less-than-admirable qualities. Security breaches can and will happen and if your passwords and accounts are more secure than others, hackers will simply pass by your account to go to an easier one.

Create a Secure Password

The first and most important thing to do is create a properly secure password. That means it is complex and dare I say not easy to remember. Passwords should be complex, containing a mixture of alphanumeric, should be case sensitive (A and a for example) and have special characters such as !, $ or @. Last but not least, it should have 8 characters in it. For example, Atuxe87Ev1! (and no, that is not a password to anything of mine). The general rule is the more complex you can make your passwords the better. It should also not be based on a known word but be as random as possible.

But let’s be clear: No password is 100%. Hackers have tools out there that can hash out even the most complex of passwords. The objective of the game here is to be difficult so they move along to the next person.

How then do you keep up with all these passwords that you can’t remember? Use a wallet type application to keep track of all of them. I personally use eWallet from Ilium Software as it syncs with my iPhone, iPad and Mac but there are others out there. One nice thing about eWallet is it also has a password generator to create these complex passwords for you.

Don’t Use The Same Password Twice

So now that you’ve created a complex password, the temptation will be to use it for other sites. Do. Not. Do. It.

Every site and every service you use should have it is own unique password. It sounds straight forward but many people out there use the same password for everything online. That means that once someone has your password once, they have access to everything. Everything.

ProtectStar today released its new security app, TimeLock for iPhone and iPod touch. No one will have the idea that there is a highly secure and protected safe ingeniously hiding in an alarm clock. The TimeLock app allows iDevice owners to securely store photos and videos, inside a data vault, where all contents are encrypted using powerful 256-bit AES algorithms.

Constantly worrying about the security of photo and video files in an iOS device is enough to drive people crazy, after all it is impossible to keep a constant close eye on all mobile devices to make sure it is not going in to the wrong hands. It is fair to say that almost every person has something in their iPhone, iPad or iPod touch that they would like to keep private, secure from other people. There has long been a need for an app that is not as obvious and effectively able to hide all the information that needs to remain hidden to be really secure.

The new TimeLock app is the most effective and unique security app available right now. It is not only a timeless clock with an alarm function, but also a high security vault for your personal photos and videos. The vault itself is completely invisible, hidden in the design of the clock.

The Wall Street Journal has confirmed a long running rumour that the iPhone 5S, expected to be announced today by Apple, will indeed have a fingerprint scanner for added security. The article from Danny Yadron states,

People familiar with the matter said last week that Apple will include a fingerprint scanner on the more expensive of two iPhones it is expected to unveil Tuesday at an event at its Cupertino, Calif., headquarters.

The article goes on to state that at least one Android powered phone is expected to have a fingerprint scanner this year but it was unclear where that device would be sold.

Fingerprint scanners are not new, even on mobile devices, but the technology is a quantum leap ahead of where it was just a few years ago. It is far more reliable and accurate and it provides a very high barrier for entry into a stolen device. Passwords, especially 4 digit PINs are not highly secure and can be cracked quite easily (see our How To on creating a more complex passcode on your iPhone). Having a fingerprint scanner as a security method should dramatically improve device security.

The once concern we at AlliOSNews have brought up with the idea of a fingerprint scanner in the iPhone 5S is the need for a PIN entry for those who are physically challenged. There are many iPhone users who have to use a stylus or cannot extend their fingers in order for a fingerprint scanner to work. Hopefully Apple will indeed have made the biometric security optional for those who need it.

Ilium Software has released a nice update to their eWallet for iOS app in the App Store today. The update, version 7.5 for those keeping score, brings a significant number of improvements that are aimed at making the user experience better on their iPhone or iPad.

If you aren’t familiar with eWallet for iOS, it is a password and other important information “wallet” but also has a built-in

eWallet for iOS

password generator and leverages iCloud for syncing of your wallet across all your devices. It’s my personal favourite wallet application and I’ve been using eWallet since way, way, way back in my Windows Mobile days.

The biggest change in this update comes in the form of AutoPass. This feature will automatically insert user names and passwords on websites when they are launched from eWallet. It’s a great feature that Ilium has had as part of eWallet for Mac for some time now. Having on your iPhone or iPad – where the majority of do our web surfing anyway – just makes sense and it is a welcome addition. eWallet for iOS also has improved the card editing screens for faster and easier entry of data on new cards and a whole new screen for an easier adding of a card to your wallet.

Ilium spent a fair amount of time in this release to also educate new users. There is a while new introduction for new users to explain the app and its use as well as an improved sample wallet for users to understand how their eWallet is built and structured. Kudos to Ilium for giving new users some information to help them along. Too many developers simply assume that you know how their app works. That’s not always the case.

eWallet for iOS is a Universal app for iPhone & iPad and is $9.99 in the App Store. This update is free to existing eWallet users. Right now eWallet for Mac is on sale in the Mac App Store for $9.99 where it is normally $19.99. Having the app on your Mac allows you to synchronise your wallet file between your devices and Mac.

Marcus Roskosch, independent software developer and founder of Creating Your App, just released his new iOS app Network Toolbox for iPhone, iPod and iPad.

Despite of rumors about the NSA Prism scandal or Chinese Hackers attacking networks and servers around the world, there is something that each of us can do to increase cyber security.

Network Toolbox helps to identify security issues or wrong configurations of your local or public networks that often

Network Toolbox for iPhone

makes it too easy for cyber attackers to break into your systems.

Even for an inexperienced user, it will now be easier than ever to check your home network for ports that are unintentionally left open to the web. By using this Network Toolbox app, such a security scan can be performed within seconds by following the included Guides and How-To’s. An included Glossary also explains terms from A like “Access control” to Z like “Zero day”.

For deeper security analysis, Network toolbox offers various tools to connect and inspect your networks. Regular Network tools like Browsers, Mail or FTP clients usually hide information about the connected server from the user. Network toolbox on the other hand can visualize such information as this information is often the first starting point for a cyber-attack. Cyber criminals can use this information to learn about your network and to find vulnerable devices.

By using this app, you will be able to identify such issues and once they are identified, they can often easily be solved.

“Don’t trust the evil,” Marcus said on his website. Don’t trust what suppliers of NAS Servers, Web-Cameras, Backup devices or Network router tells you. Often those devices are shipped poorly pre-configured and just claim to be secure. Be your own Hacker and try to compromise your own network to locate those devices and protect your data.

Network Toolbox 2.01.01 is $5.99 USD (or equivalent amount in other currencies) and available worldwide exclusively through the App Store in the Productivity category.